Hi All,

> Why should we allow multiple OTPs for a particular user at a given time?
> Cannot we keep only one valid OTP for a user at a given time and override
> it at the point of creating a new one?

+1. Let's keep only one valid OTP.

> How do you plan to access the content in this table from the authentication
> flow?
>
> What I wanted to point out is, this OTP is another credential for the user. So
> we should store it in a "credential store" which is introduced with the new user
> core.
> It's clear this can be used only one time, but what is the scope of this OTP?
> Can this only be used to log in to user-portal, or can this OTP be used for
> any other purposes (for example, say login to generate a SAML token in an SSO
> story)?

Actually in this implementation we have not considered this as a password. Though we used the word OTP it is kind of a code. By using this code the user can create a new password but cannot log in to any portal or cannot perform any task of IS. So this is not actually a credential for the user.

> In some cases the identity admin needs to set a validity period on the OTP, so IMO we
> need to support time based validity.
>
> I too have the same concern. What is the idea behind allowing multiple
> OTPs at any point of time? Isn't the usual practice to keep only the latest
> OTP active?

+1. Let's add a time based validity period.

Thanks,

Hasanthi Dissanayake
Software Engineer | WSO2
E: hasan...@wso2.com
M: 0718407133 | http://wso2.com

On Wed, Mar 15, 2017 at 10:55 PM, Farasath Ahamed <mefaraz...@gmail.com> wrote:

> On Wednesday, March 15, 2017, Dilan Udara Ariyaratne <dil...@wso2.com>
> wrote:
>
>> On Tue, Mar 14, 2017 at 11:08 AM, Gayan Gunawardana <ga...@wso2.com>
>> wrote:
>>
>>> On Tue, Mar 14, 2017 at 10:58 AM, Hasanthi Purnima Dissanayake <
>>> hasan...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> We are in the process of implementing Admin Forced Password Reset via
>>>> Offline for existing users in Admin Portal for the new IS 6.0.0 release.
>>>> The wireframe design for the UI is found at [1].
>>>>
>>>> Admin can select a user and generate a password for the selected user.
>>>> This generated password is an OTP.
>>>>
>>>> This OTP is:
>>>> 1. Not adhere to any password policy.
>>>> 2. There is no validity period
>>>> 3. Once this OTP is used it expires.
>>>> 4. Not considered like a normal password and we are going to store it
>>>> in IDN_RECOVERY_DATA table.
>>>>
>>> If admin generates two or more OTPs, what is the behavior?
>>> All valid or last one valid?
>>> Suppose there are two and we consume only the first one, in that case does it
>>> invalidate the second one?
>>>
>>
>> Why should we allow multiple OTPs for a particular user at a given time?
>> Cannot we keep only one valid OTP for a user at a given time and override
>> it at the point of creating a new one?
>>
>
> I too have the same concern. What is the idea behind allowing multiple
> OTPs at any point of time? Isn't the usual practice to keep only the latest
> OTP active?
>
>>>> [1] https://github.com/wso2-dev-ux/product-is/blob/master/Wireframes/admin-portal/v3/3.32%20%20Reset%20password%20with%20offline%20OTP%20-%20password%20generated.png
>>>>
>>>> Thanks,
>>>>
>>>> Hasanthi Dissanayake
>>>> Software Engineer | WSO2
>>>> E: hasan...@wso2.com
>>>> M: 0718407133 | http://wso2.com
>>>
>>> --
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: ga...@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> Architecture@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> *A.Farasath Ahamed*
> Software Engineer | WSO2 Inc.
> Mobile: +94 777 603 866
> Blog: blog.farazath.com
> E-Mail: mefaraz...@gmail.com
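
The behaviour the thread converges on (one valid code per user, a new code overriding the old one, single use, time based validity), sketched as an added example; it is not code from this thread or from WSO2 Identity Server. The `recovery_code` table (a stand-in for IDN_RECOVERY_DATA, whose schema is not shown here), the function names, SQLite, and storing a SHA-256 digest instead of the code are all assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Hypothetical table standing in for IDN_RECOVERY_DATA (assumption).
SCHEMA = """
CREATE TABLE recovery_code (
    user_name  TEXT PRIMARY KEY,  -- one row per user: at most one live code
    code_hash  TEXT NOT NULL,     -- digest only, the code itself is never stored
    expires_at REAL NOT NULL      -- time based validity
)"""

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def issue_code(conn, user, ttl_seconds, now=None):
    """Create a code for `user`; any code issued earlier is overridden."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(16)
    with conn:  # commits on success
        conn.execute("INSERT OR REPLACE INTO recovery_code VALUES (?, ?, ?)",
                     (user, _digest(code), now + ttl_seconds))
    return code

def redeem_code(conn, user, code, now=None):
    """True exactly once, for the latest unexpired code (password reset only)."""
    now = time.time() if now is None else now
    row = conn.execute(
        "SELECT code_hash, expires_at FROM recovery_code WHERE user_name = ?",
        (user,)).fetchone()
    if row is None or now >= row[1]:
        return False
    if not hmac.compare_digest(row[0], _digest(code)):
        return False
    with conn:
        # Conditional delete: a concurrent redeem that won the race leaves
        # nothing to delete, so rowcount is 0 and this attempt fails.
        cur = conn.execute(
            "DELETE FROM recovery_code WHERE user_name = ? AND code_hash = ?",
            (user, row[0]))
    return cur.rowcount == 1
```

The primary key on the user name is what enforces "only the latest code is active"; no application-side cleanup of older codes is needed.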